The headline fix in this month's SAP security patch release is a critical SQL injection vulnerability in SAP S/4HANA that gives an attacker a way to run queries of their own choosing against the underlying database.
Enterprise resource planning systems sit at the core of corporate infrastructure, and a flaw of this magnitude puts the confidentiality and integrity of business data at serious risk.
In total, SAP released fifteen new security notes this month and urges organizations to apply them promptly, since unpatched components remain exposed to network intrusion, data theft and system downtime.
Critical Threats in SAP Enterprise Systems
The defining item in this month's release is SAP Security Note 3724838, which resolves a SQL injection vulnerability in the SAP Enterprise Search for Advanced Business Application Programming (ABAP) component of SAP S/4HANA.
Tracked as CVE-2026-34260, this critical flaw carries a near-maximum CVSS score of 9.6 out of 10.
If exploited, an attacker can inject their own SQL into the queries the component issues to the database, and so read, modify or delete whatever data those queries can reach, including sensitive corporate financial records.
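To make the mechanics of this flaw class concrete, the following is an added example written for this page; it is not SAP code and not the actual defect behind CVE-2026-34260 (the page gives no technical details of it). It models a search endpoint over a toy SQLite database: the vulnerable version concatenates the search term into the query text, while the hardened version binds it as a parameter and escapes LIKE wildcards. The table names, rows and payload are constructed for the demonstration.

```python
"""Search-endpoint SQL injection, vulnerable vs parameterized.

Added example for this page: a generic illustration, not SAP's code and not
the real CVE-2026-34260 defect.  Schema, rows and payload are constructed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema: a searchable catalogue plus a table the
    search endpoint is never supposed to expose."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE products (name TEXT, description TEXT);
        INSERT INTO products VALUES ('Widget', 'A standard widget'),
                                    ('Gadget', 'A premium gadget');
        CREATE TABLE payroll (employee TEXT, salary INTEGER);
        INSERT INTO payroll VALUES ('alice', 120000), ('bob', 95000);
        """
    )
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    # BUG (intentional): the user-supplied term is spliced into the SQL text,
    # so a quote inside it terminates the literal and the remainder is parsed
    # as SQL by the database.
    sql = f"SELECT name, description FROM products WHERE name LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, term: str) -> list:
    # Fix: the term travels as a bound parameter, so the SQL text never
    # changes.  LIKE wildcards inside the term are escaped as well, so a user
    # cannot widen the match beyond what they literally typed.
    escaped = (
        term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = "SELECT name, description FROM products WHERE name LIKE ? ESCAPE '\\'"
    return con.execute(sql, (f"%{escaped}%",)).fetchall()


# Constructed payload: closes the LIKE literal, appends a UNION that reads the
# payroll table, and comments out the trailing %' of the original query.
PAYLOAD = "x%' UNION SELECT employee, salary FROM payroll --"


def demo() -> tuple:
    """Runs the same payload through both versions of the search.

    Returns (rows leaked by the vulnerable search, rows from the safe search).
    """
    con = build_db()
    leaked = search_vulnerable(con, PAYLOAD)
    contained = search_safe(con, PAYLOAD)
    return leaked, contained


if __name__ == "__main__":
    leaked, contained = demo()
    print("vulnerable search leaked:", leaked)
    print("parameterized search returned:", contained)
```

Running `demo()` shows the same payload pulling the `payroll` rows out through the vulnerable search while the parameterized search returns nothing. Python's sqlite3 driver refuses stacked statements, so the modify-and-delete side of the impact is not shown here; it follows the same path wherever the injected text lands in an UPDATE or DELETE, or the database interface executes multiple statements.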
At the same time, SAP addressed a second critical vulnerability, this one affecting the SAP Commerce Cloud configuration.
Documented as CVE-2026-34263, also with a CVSS score of 9.6, this missing authentication check lets an attacker reach functionality that should require a login, leading to unauthorized system access and disruption of e-commerce operations.
Beyond the critical-rated flaws, the May 2026 update mitigates several high and medium-severity vulnerabilities that pose significant risks to internal enterprise networks.
SAP Security Note 3732471 patches a high-severity operating system command injection vulnerability within SAP Forecasting and Replenishment, designated as CVE-2026-34259 with a CVSS score of 8.2.
This flaw could allow a highly privileged local attacker to execute arbitrary commands on the underlying operating system, which can lead to complete host takeover and lateral movement.
Administrators must also patch a medium-severity command injection flaw in SAP NetWeaver Application Server for ABAP, tracked as CVE-2026-40135 (CVSS 6.5).
| Security Note | CVE Identifier | Affected SAP Product | Severity Rating | CVSS Score |
|---|---|---|---|---|
| 3724838 | CVE-2026-34260 | SAP S/4HANA (Enterprise Search for ABAP) | Critical | 9.6 |
| 3733064 | CVE-2026-34263 | SAP Commerce Cloud | Critical | 9.6 |
| 3732471 | CVE-2026-34259 | SAP Forecasting & Replenishment | High | 8.2 |
| 3730019 | CVE-2026-40135 | SAP NetWeaver AS for ABAP | Medium | 6.5 |
| 3718083 | CVE-2026-40133 | SAP S/4HANA Condition Maintenance | Medium | 6.3 |
| 3727717 | CVE-2026-40137 | Business Server Pages Application | Medium | 6.1 |
| 3667593 | CVE-2026-0502 | SAP BusinessObjects BI Platform | Medium | 5.4 |
| 3721959 | CVE-2026-40132 | SAP Strategic Enterprise Management | Medium | 5.4 |
| 3716450 | CVE-2025-68161 | SAP Commerce Cloud (Apache Log4j) | Medium | 4.8 |
| 3726583 | CVE-2026-34258 | SAPUI5 (Search UI) | Medium | 4.7 |
| 3728690 | CVE-2026-27682 | SAP NetWeaver AS ABAP | Medium | 4.7 |
| 3713521 | CVE-2026-40136 | SAP Financial Consolidation | Medium | 4.3 |
| 3718508 | CVE-2026-40134 | SAP Incentive and Commission Management | Medium | 4.3 |
| 3735359 | CVE-2026-40129 | SAP Application Server ABAP | Medium | 4.3 |
| 3726962 | CVE-2026-40131 | SAP HANA Deployment Infrastructure | Low | 3.4 |
Other notable fixes include missing authorization checks in several business modules, such as SAP Strategic Enterprise Management and SAP S/4HANA Condition Maintenance, as well as cross-site scripting and cross-site request forgery vulnerabilities in the SAP BusinessObjects Business Intelligence Platform.
SAP strongly recommends that all customers visit the official support portal and apply these patches with emergency priority to protect their business-critical landscapes.
Delaying the updates leaves environments exposed, particularly because SQL injection and missing authentication flaws are among the easiest classes for financially motivated threat actors to weaponize.
Security operations teams should confirm that every affected product, from SAP NetWeaver down to SAPUI5 and the SAP HANA Deployment Infrastructure deploy library, is running a patched version; no patch level makes a landscape impenetrable, so monitoring of the affected components should continue after the updates are applied.
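The following triage helper is an added example for this page, not an SAP tool. It parses the advisory table above, checks each published Severity Rating against the CVSS v3.1 qualitative band for its score, and builds a prioritized work queue for the products in a constructed inventory. The remediation windows in `SLA_DAYS` are a hypothetical policy, not SAP guidance, and the product name variants in the inventory are assumptions for the demonstration.

```python
"""Patch-day triage over the SAP security note table on this page.

Added example, not an SAP tool.  SLA windows are a hypothetical policy and
the inventory is constructed for the demonstration.
"""
from dataclasses import dataclass

# Rows copied from the table on this page, header and separator included, as
# they would be when pasting the table straight from the advisory.
ADVISORY_TABLE = """
| Security Note | CVE Identifier | Affected SAP Product | Severity Rating | CVSS Score |
|---|---|---|---|---|
| 3724838 | CVE-2026-34260 | SAP S/4HANA (Enterprise Search for ABAP) | Critical | 9.6 |
| 3733064 | CVE-2026-34263 | SAP Commerce Cloud | Critical | 9.6 |
| 3732471 | CVE-2026-34259 | SAP Forecasting & Replenishment | High | 8.2 |
| 3730019 | CVE-2026-40135 | SAP NetWeaver AS for ABAP | Medium | 6.5 |
| 3718083 | CVE-2026-40133 | SAP S/4HANA Condition Maintenance | Medium | 6.3 |
| 3727717 | CVE-2026-40137 | Business Server Pages Application | Medium | 6.1 |
| 3667593 | CVE-2026-0502 | SAP BusinessObjects BI Platform | Medium | 5.4 |
| 3721959 | CVE-2026-40132 | SAP Strategic Enterprise Management | Medium | 5.4 |
| 3716450 | CVE-2025-68161 | SAP Commerce Cloud (Apache Log4j) | Medium | 4.8 |
| 3726583 | CVE-2026-34258 | SAPUI5 (Search UI) | Medium | 4.7 |
| 3728690 | CVE-2026-27682 | SAP NetWeaver AS ABAP | Medium | 4.7 |
| 3713521 | CVE-2026-40136 | SAP Financial Consolidation | Medium | 4.3 |
| 3718508 | CVE-2026-40134 | SAP Incentive and Commission Management | Medium | 4.3 |
| 3735359 | CVE-2026-40129 | SAP Application Server ABAP | Medium | 4.3 |
| 3726962 | CVE-2026-40131 | SAP HANA Deployment Infrastructure | Low | 3.4 |
"""

# Hypothetical remediation windows in days: a policy choice, not SAP guidance.
SLA_DAYS = {"Critical": 1, "High": 7, "Medium": 30, "Low": 90}

# Constructed inventory.  Matching is by substring, so the list has to carry
# the name variants SAP uses (NetWeaver AS ABAP vs Application Server ABAP).
INVENTORY = ["S/4HANA", "NetWeaver", "Application Server ABAP", "SAPUI5"]


@dataclass(frozen=True)
class Note:
    number: str
    cve: str
    product: str
    rating: str
    cvss: float


def cvss_band(score: float) -> str:
    """Qualitative band per the CVSS v3.1 specification."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def parse_notes(table: str) -> list:
    """Parses the markdown rows; header and separator lines are skipped."""
    notes = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or not cells[0].isdigit():
            continue
        notes.append(Note(cells[0], cells[1], cells[2], cells[3], float(cells[4])))
    return notes


def rating_mismatches(notes: list) -> list:
    """Rows whose published rating disagrees with the band for their score."""
    return [n for n in notes if n.rating != cvss_band(n.cvss)]


def work_queue(notes: list, inventory: list) -> list:
    """Notes hitting an inventoried product, highest score first, with the
    SLA window each falls under; ties are broken by note number."""
    wanted = [p.lower() for p in inventory]
    hits = [n for n in notes if any(p in n.product.lower() for p in wanted)]
    hits.sort(key=lambda n: (-n.cvss, n.number))
    return [
        (n.number, n.cve, n.product, cvss_band(n.cvss), SLA_DAYS.get(cvss_band(n.cvss)))
        for n in hits
    ]


if __name__ == "__main__":
    notes = parse_notes(ADVISORY_TABLE)
    for row in work_queue(notes, INVENTORY):
        print(row)
    print("rating mismatches:", rating_mismatches(notes))
```

For this month's table the mismatch check comes back empty, so the published ratings line up with their scores. The inventory caveat is the practical one: "SAP NetWeaver AS ABAP" and "SAP Application Server ABAP" name the same stack, and a substring match on one spelling alone would drop note 3735359 from the queue.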
The post SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA appeared first on Cyber Security News.